
Container Compute Service: Specify vSwitches and security groups for pods

Last Updated: Jan 24, 2025

By default, pods use the vSwitches and security groups of the cluster. If you have other requirements, you can add pod annotations to specify vSwitches and security groups.

Specify vSwitches

You can specify multiple vSwitches when creating an ACS cluster to improve the availability of the cluster. By default, when ACS creates a pod, it randomly selects a cluster vSwitch and then allocates an IP address from the CIDR block of the vSwitch to the pod. If you have other requirements, add the following pod annotation to specify vSwitches.

Pod annotation: network.alibabacloud.com/vswitch-ids: "vsw-xx1,vsw-xx2"

Description: Specifies vSwitches for pods. The annotation must meet the following requirements:

  • You must specify the vSwitches of the cluster.

  • You can specify one or more vSwitches. If multiple vSwitches are specified, ACK attempts to create pods in the specified vSwitches in sequence.

The annotation must be added to the metadata in the configuration file of the pod. For example, when you create a Deployment, you must add the annotation to the spec.template.metadata section. The following code provides an example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-vsw
  labels:
    app: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      name: nginx-test
      labels:
        app: nginx
      annotations:
        network.alibabacloud.com/vswitch-ids: "vsw-uf65vd1j5iml8ydw3****"
    spec:
      containers:
      - name: nginx
        image: registry.cn-hangzhou.aliyuncs.com/acs-sample/nginx:latest
        ports:
        - containerPort: 80

Specify a security group

When you create an ACS cluster, the system automatically specifies a security group. By default, when ACS creates a pod, it automatically adds the ENI of the pod to the security group of the cluster. This means that the pod is added to the security group. If you have other requirements, you can add the following pod annotation to specify a security group.

Note

You can also modify the security group rules of pods to control inbound and outbound traffic. For more information, see Add a security group rule.

Pod annotation: network.alibabacloud.com/security-group-ids: "sg-xx1"

Description: Specifies a security group for the pod.

The annotation must be added to the metadata in the configuration file of the pod. For example, when you create a Deployment, you must add the annotation to the spec.template.metadata section. The following code provides an example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-sg
  labels:
    app: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      name: nginx-test
      labels:
        app: nginx
      annotations:
        network.alibabacloud.com/security-group-ids: "sg-uf6f7toxvc6qhlnf****"
    spec:
      containers:
      - name: nginx
        image: registry.cn-hangzhou.aliyuncs.com/acs-sample/nginx:latest
        ports:
        - containerPort: 80
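
A pre-deployment check for the placement and ID requirements described in both sections above, as an added example that is not part of the original Alibaba Cloud documentation. The function names, the approved security group allow-list and all sample IDs are assumptions constructed for illustration; the page itself only requires that the vSwitches belong to the cluster.

```python
VSW_KEY = "network.alibabacloud.com/vswitch-ids"
SG_KEY = "network.alibabacloud.com/security-group-ids"


def pod_annotations(manifest):
    """Annotations that reach the pod: metadata for a Pod, spec.template.metadata otherwise."""
    if manifest.get("kind") == "Pod":
        meta = manifest.get("metadata") or {}
    else:
        meta = ((manifest.get("spec") or {}).get("template") or {}).get("metadata") or {}
    return meta.get("annotations") or {}


def check_manifest(manifest, cluster_vswitches, approved_sgs):
    """Return findings for one parsed manifest (dict). approved_sgs is an assumed local allow-list."""
    findings = []
    on_pod = pod_annotations(manifest)
    on_top = (manifest.get("metadata") or {}).get("annotations") or {}
    rules = ((VSW_KEY, "vsw-", cluster_vswitches), (SG_KEY, "sg-", approved_sgs))
    for key, prefix, allowed in rules:
        if key in on_top and key not in on_pod:
            # Workload-level annotations are not copied to pods, so cluster defaults apply.
            findings.append(f"{key}: not under spec.template.metadata, ignored for pods")
        if key not in on_pod:
            continue
        # Comma-separated list, as in the page's "vsw-xx1,vsw-xx2" example.
        for item in (s.strip() for s in str(on_pod[key]).split(",")):
            if not item.startswith(prefix):
                findings.append(f"{key}: malformed ID {item!r}")
            elif item not in allowed:
                findings.append(f"{key}: {item} is not in the allowed set")
    return findings


# Constructed sample data: these IDs are placeholders, not real resources.
CLUSTER_VSWITCHES = {"vsw-example1", "vsw-example2"}
APPROVED_SGS = {"sg-example1"}


def deployment(top_ann, pod_ann):
    """Build a minimal Deployment-shaped dict for the checks (hypothetical helper)."""
    return {"kind": "Deployment",
            "metadata": {"name": "test", "annotations": top_ann},
            "spec": {"template": {"metadata": {"annotations": pod_ann}}}}


GOOD = deployment({}, {VSW_KEY: "vsw-example1,vsw-example2"})
MISPLACED = deployment({SG_KEY: "sg-example1"}, {})
FOREIGN = deployment({}, {VSW_KEY: "vsw-example1, vsw-other"})
```

Run it against manifests parsed from YAML in CI or in an admission check, with the cluster's vSwitch IDs supplied from your own inventory.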